298 Failed Login Attempts on France Dedi SSH

Should I be concerned??! This is my FIRST time logging in to my new Dedi via SSH since it was set up this morning. So these 298 Failed Logins have happened in the last 5 hours. Should I worry and get a new IP, or what? I have NEVER had this issue before on any Dedi or VPS I have had.

Last failed login: Tue Aug 19 16:43:12 CEST 2014 from 211.190.x.xx on ssh:notty
There were 298 failed login attempts since the last successful login.


Comments

  • Change your SSH port and install Fail2Ban.

  • HuntersPad Member
    edited August 2014

    @rethinkvps said:

    Change your SSH port and install Fail2Ban.

    How would I go about changing SSH port?

    Wow... I just noticed the last failed IP is from the Republic of Korea lol

  • I would keep the same ssh port, but that's just personally, but fail2ban works great. Also use ssh keys and not passwords.

  • hyelton said: How would I go about changing SSH port?

    Google "Change SSH port YOUROS" and it will be the first result.

  • wych Member

    How would I go about changing SSH port?

    Hire someone who can admin the system if you are unsure else this is going to end badly for you.

  • @wych said:
    Hire someone who can admin the system if you are unsure else this is going to end badly for you.

    I have been running a few dedicated servers and VPSs for a year now with heavy traffic websites and NOT once have I run into anything like this.

    I'm a person, not a business. I can't just afford to pay someone; I barely make enough with AdSense to pay for the server.

  • @hyelton said:
    I'm a person, not a business. I can't just afford to pay someone; I barely make enough with AdSense to pay for the server.

    then go for managed VPS instead of dedi or use shared hosting

  • @Leechum said:
    then go for managed VPS instead of dedi or use shared hosting

    Managed VPS ?? Really? Shared Again really??

    I'd be paying hundreds of Dollars for a managed VPS and Shared is out of the question...

    I have over 600GB of Files and I do over 30+TB of BW a month...

  • @hyelton said:
    I'm a person, not a business. I can't just afford to pay someone; I barely make enough with AdSense to pay for the server.

    Personally. I'd go for a vps. Something lightweight and can be picked up for pennies. Or $7 to be exact.

  • @MSPNick said:

    Please read post above ^^ $7 VPS won't cut it lol. I do 30+TB of BW each month and have 600+GB of files.

  • wych Member
    edited August 2014

    @hyelton, no offense but I doubt you have never run into anything like this. I think it is more you never noticed it. That's like when @Bella said he/she had not been hacked.

    Have a read up on some of the honeypot and security threads on here that may point you in the right direction of steps to take.

    Thanked by 2netomx Dylan
  • @hyelton said:
    I have over 600GB of Files and I do over 30+TB of BW a month...

    if you don't have a license to drive a truck you hire someone to deliver your stuff for you. same rule applies here - you've no clue how to manage a server yet you MUST have one

    Thanked by 1alessio
  • @hyelton said:
    Please read post above ^^ $7 VPS won't cut it lol. I do 30+TB of BW each month and have 600+GB of files.

    Didn't notice this at all. I'm very sorry.

  • @wych said:
    hyelton, no offense but I doubt you have never run into anything like this. I think it is more you never noticed it.

    Have a read up on some of the honeypot and security threads on here.

    That's like when Bella said they had not been hacked.

    The only "Hacked" things I've run into were back when I was small enough to be with Shared Accounts. But what gets me is this is a BRAND NEW Dedi, nothing installed at all but CentOS lol. Unless I have a very known IP of some sort, but I've never had so many failed logins. I may have had 5 failed / attempted logins in a year.

  • I understand but I don't make enough money to "Hire" someone. I might as well not run a server if I'm gonna have to be paying out of pocket. Wouldn't be worth it. I was just asking for advice on the failed logins as I thought it was a ridiculous amount and it's never happened before.

    Fail2Ban seemed to have stopped it. I was averaging 3 Failed logins every few minutes, now it's stopped.

  • jvnadr Member
    edited August 2014

    Here are directions on how to change ssh port on Ubuntu/Debian

    Create a new user that fits to you:

    adduser <place your desired username>
    visudo
    

    Then, add your new username to file

    <username> ALL=(ALL:ALL) ALL

    Configure your ssh access to fit to the new user and disable port 22
    Open this file

    nano /etc/ssh/sshd_config

    Edit and then, save:

    Port <put here a port you prefer>
    Protocol 2
    PermitRootLogin no
    PermitEmptyPasswords no
    UseDNS no
    AllowUsers <your new username>
    

    If there is port 22 in ssh config, remove it

    Restart SSH:

    service ssh restart

    Before closing the session in PuTTY, open a new one to test that the new login username and port work (connect with ip:newport, new username and password for the new username)

    WHAT TO DO IF NEW CREDENTIALS DON'T WORK, SO YOU DON'T LOSE ACCESS TO YOUR SERVER

    If this works, close the first connection. If not, edit again sshd_config allowing again root and port 22, to troubleshoot

    Port 22
    PermitRootLogin yes
    

    If all went OK with disabling root access, then install fail2ban this way

    Gain access to your server as sudo

    sudo -s

    Run this

    apt-get install fail2ban
    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    nano /etc/fail2ban/jail.local
    

    Edit those lines:

    destemail = <put your mail here>
    action = %(action_mwl)s
    
    [ssh]
    
    enabled  = true
    port     = <your new port number>
    filter   = sshd
    logpath  = /var/log/auth.log
    maxretry = 10
    
    [ssh-ddos]
    
    enabled  = true
    port     = <your new port number>
    filter   = sshd-ddos
    logpath  = /var/log/auth.log
    maxretry = 10
    

    Last thing is to restart Fail2Ban:

    sudo service fail2ban restart

    Hope that works for you (for CentOS systems, the procedure is similar. If you want details for CentOS, PM me)

    P.S. It would be even more secure to disable password login and use ssh keys, but I know sometimes this can limit access when you reach your servers from various locations and not only from office/home. I think that disabling port 22 and root login, combined with fail2ban, should be OK in most cases.

    Thanked by 3talsit Blanoz kkrajk
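
A pre-restart check for the sshd_config edits in the post above, as an added example that is not part of the original post: it flags a leftover Port 22 line (every Port line opens a listener) and applies sshd's first-occurrence-wins rule to the other directives. The function name audit_sshd_config, the sample config and the user alice are constructed for illustration; Match blocks and Include files are not followed.

```shell
# Added example (not from the thread): check an sshd_config file against the
# settings listed in the post above before restarting sshd.
# audit_sshd_config FILE -> one "FINDING:" line per problem, status 1 if any.
audit_sshd_config() {
    awk '
    function report(msg) { print "FINDING: " msg; bad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (!match(line, /^[A-Za-z0-9]+/)) next
        key = tolower(substr(line, 1, RLENGTH))    # keywords are case-insensitive
        val = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val)            # "Key value" or "Key=value"
        sub(/[ \t]+$/, "", val)
        if (key == "match") exit                   # assumption: global section only
        if (key == "port") {                       # every Port line opens a listener
            nports++
            if (val == "22") port22 = 1
            next
        }
        if (!(key in first)) first[key] = val      # otherwise first occurrence wins
    }
    END {
        if (nports == 0) report("no Port line, sshd falls back to port 22")
        else if (port22) report("a Port 22 line is still present")
        prl = tolower(first["permitrootlogin"])
        if (prl != "no")
            report("PermitRootLogin is " (prl == "" ? "unset" : prl) ", expected no")
        pep = tolower(first["permitemptypasswords"])
        if (pep != "" && pep != "no")
            report("PermitEmptyPasswords is " pep ", expected no")
        if (first["allowusers"] == "")
            report("no AllowUsers line, logins are not limited to named accounts")
        exit (bad + 0)
    }' "$1"
}

# Constructed sample: the new port was added but the old Port 22 line was left in.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
Port 22
permitrootlogin=no
PermitRootLogin yes
AllowUsers alice
EOF
audit_sshd_config "$sample" || echo "resolve the findings before restarting sshd"
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config while the original session is still open; `sshd -t` covers syntax errors, which this check does not.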
  • rethinkvps said: Google "Change SSH port YOUROS" and it will be the first result.

    This is what I'm getting in Google:

    Do you mean: Change SSH port EUROS

    (Just kidding, poster means "Change SSH port --place-here-the-operating-system--")

  • HuntersPad Member
    edited August 2014

    Not sure if installing fail2ban caused a problem or the fact it's CentOS 7, but Webuzo will NOT install :( So now I'm having to wait prob another 12 hours for another OS Re-Install. This time hopefully they'll do CentOS 6.5

  • wych Member

    @hyelton said:
    Not sure if installing fail2ban caused a problem or the fact it's CentOS 7, but Webuzo will NOT install :( So now I'm having to wait prob another 12 hours for another OS Re-Install. This time hopefully they'll do CentOS 6.5

    What errors?

  • orak Member

    @hyelton said:
    Not sure if installing fail2ban caused a problem or the fact it's CentOS 7, but Webuzo will NOT install :( So now I'm having to wait prob another 12 hours for another OS Re-Install. This time hopefully they'll do CentOS 6.5

    Or you could uninstall fail2ban and see if that's the problem? OS wipes do not magically fix issues - which 90% of the time are caused by inexperienced users.

  • HuntersPad Member
    edited August 2014

    @orak said:
    Or you could uninstall fail2ban and see if that's the problem? OS wipes do not magically fix issues - which 90% of the time are caused by inexperienced users.

    I have installed Webuzo 30 or more times...

    yum update

    1. wget -N http://files.webuzo.com/install.sh

    2. chmod 0755 install.sh

    3. ./install.sh

    There's NOT much that can go wrong there.....

    I'm assuming it's to do with it running CentOS 7. Webuzo's page says it's for 5x/6x. Not sure if it matters that it's CentOS 7 or not.

    This is the error.
    "The following errors occured :
    Could not make the Webuzo binary
    ERROR :
    There was an error while installing Webuzo
    Please check /root/webuzo-install.log for errors
    Exiting Installer
    "

  • wych Member
    edited August 2014

    @hyelton said:
    Please check /root/webuzo-install.log for errors Exiting Installer "

    "check /root/webuzo-install.log"

    There's NOT much that can go wrong there.....

    No, it's not as though that is the whole install script.

    Again...

    @wych said:
    What errors?

    Thanked by 1orak
  • HuntersPad Member
    edited August 2014

    @wych said:

    I have removed fail2ban and it still has an error. I did check the log. Only thing in the log I had seen was it installing, no errors. But now I checked again and saw this

    --2014-08-19 17:34:48--  http://mirror.softaculous.com/webuzo/webuzo.repo
    Resolving mirror.softaculous.com (mirror.softaculous.com)... 148.251.68.24
    Connecting to mirror.softaculous.com (mirror.softaculous.com)|148.251.68.24|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 124 [text/plain]
    Saving to: ‘/etc/yum.repos.d/webuzo.repo’
    
         0K                                                       100% 29.7M=0s
    
    2014-08-19 17:34:48 (29.7 MB/s) - ‘/etc/yum.repos.d/webuzo.repo’ saved [124/124]
    
    /bin/ln: failed to create symbolic link ‘/usr/sbin/chkconfig’: File exists
    Loaded plugins: fastestmirror, langpacks
    http://mirror.softaculous.com/webuzo/7/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 404 - Not Found
    Trying other mirror.
    
    
     One of the configured repositories failed (Virtualizor Repo),
     and yum doesn't have enough cached data to continue. At this point the only
     safe thing yum can do is fail. There are a few ways to work "fix" this:
    
         1. Contact the upstream for the repository and get them to fix the problem.
    
         2. Reconfigure the baseurl/etc. for the repository, to point to a working
            upstream. This is most often useful if you are using a newer
            distribution release than is supported by the repository (and the
            packages for the previous distribution release still work).
    
         3. Disable the repository, so yum won't use it by default. Yum will then
            just ignore the repository until you permanently enable it again or use 
    
  • Which, seeing this
    http://mirror.softaculous.com/webuzo/7/x86_64/repodata/repomd.xml

    makes me believe it is due to it being CentOS 7, as it's checking /7 and there is nothing there. Replace it with /6 and there is everything it needs

  • hyelton said: How would I go about changing SSH port?

    if you run a server but don't know how to change the SSH port (or how to google that question) your server will get hacked sooner or later. Just saying.

  • @gsrdgrdghd said:
    if you run a server but don't know how to change the SSH port (or how to google that question) your server will get hacked sooner or later. Just saying.

    I know how to Google it.... I was just checking. Not worried about changing SSH port right now.

  • wych Member

    Update your repo that it wants manually (may have other side effects) or use a supported OS.

  • Blanoz Member
    edited August 2014

    Please follow a basic Linux administration course. Luckily for you, a very good one has already started. And it's free.

    https://www.edx.org/course/linuxfoundationx/linuxfoundationx-lfs101x-introduction-1621

    And use Google, dammit!
    Good luck.

    Thanked by 1marrco
  • HuntersPad Member
    edited August 2014

    Off-Topic: I really wish OneProvider had an automatic OS install. Their support is sort of lacking.

    For the 3rd time I asked for CentOS 6.4 or 6.5 64bit to be installed. Each time they install CentOS 7 and the last time I provided them with a 6.5 ISO.

  • Dictionary and Brute Force Attacks are uber common. Consider yourself extremely lucky not to have seen them in the past. Now equip yourself with the tools you need to protect against them and you won't have to worry about them in the future as much.
